Web security
      Confoo Conference 2012 – Montréal


Antonio Fontes (L7)
David Mirza (Subgraph)
Syllabus
•   Who are we?
•   Why are we here? What has changed?
•   Motivations
•   Impacts
•   Opportunities: how can you/we help?
About us
• Antonio



• David
History
• Fun pranks
• Early attacks: host/network intrusion
• Now: web application vulnerabilities
Now
• OWASP Top 10
  – XSS
  – SQLi
  – CSRF
  – OS Command injection
  – Etc.
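The injection classes named on this slide, as an added example that is not part of the talk: each defect is shown beside its fix in Python, using a constructed in-memory SQLite table, a constructed probe input, and `echo` as the stand-in operating-system command. All function names here are hypothetical.

```python
import hmac
import html
import sqlite3
import subprocess


def make_db():
    """Constructed in-memory SQLite table for the demonstration (not from the talk)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


# --- SQL injection: string building vs. a bound parameter ---
def find_user_vulnerable(conn, name):
    # The input is spliced into the SQL text, so quotes in it change the query's meaning.
    return conn.execute(
        f"SELECT name FROM users WHERE name = '{name}'").fetchall()


def find_user_safe(conn, name):
    # The value travels as a parameter; the database never parses it as SQL.
    return conn.execute(
        "SELECT name FROM users WHERE name = ?", (name,)).fetchall()


# --- Cross-site scripting: reflecting input into HTML raw vs. encoded ---
def greet_vulnerable(name):
    # Raw interpolation lets markup in the input become part of the page.
    return f"<p>Hello {name}</p>"


def greet_safe(name):
    # html.escape turns <, >, &, ' and " into entities, so the input stays text.
    return f"<p>Hello {html.escape(name, quote=True)}</p>"


# --- OS command injection: one shell string vs. an argument vector ---
def echo_vulnerable(value):
    # shell=True hands the whole string to /bin/sh, which honours ; | $( ) and friends.
    return subprocess.run("echo " + value, shell=True,
                          capture_output=True, text=True).stdout


def echo_safe(value):
    # An argv list goes straight to exec(): the value is one argument, never parsed.
    return subprocess.run(["echo", value],
                          capture_output=True, text=True).stdout


# --- Cross-site request forgery: a per-session token the forging site cannot read ---
def csrf_token_valid(session_token, submitted_token):
    # A cross-site form post cannot carry the token bound to the victim's session.
    if not session_token or not submitted_token:
        return False
    return hmac.compare_digest(session_token, submitted_token)


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"  # constructed probe input that should match nobody
    print("SQLi vulnerable:", find_user_vulnerable(db, probe))
    print("SQLi safe      :", find_user_safe(db, probe))
    print("XSS  safe      :", greet_safe("<b>bob</b>"))
    print("CMD  vulnerable:", repr(echo_vulnerable("x; echo INJECTED")))
    print("CMD  safe      :", repr(echo_safe("x; echo INJECTED")))
    print("CSRF mismatch  :", csrf_token_valid("tok-123", "tok-999"))
```

The pattern is the same in all four cases: keep untrusted data as data (a bound parameter, an encoded text node, one argv element, a token compared in constant time) instead of letting it reach a parser as code.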
Why?
• Mature network/host layer security
• All business logic is/has moved to the web
  – along with the data…
• Web apps are THE remaining open door
• More people understand there is « value »
  – General awareness
Motivations
•   Money
•   Political/Ideological grounds
•   Fame, fun, curiosity
•   Industrial espionage
•   Supporting other forms of organized crime
•   State / Corporate surveillance
•   Randomness
Source: arstechnica.com / nov.2011
Do you feel motivated now?




792 Euro = 1’051 CAD
4 years operation = 14m$ → 3.5m/year
3.5m / 7 people → 500’000 CAD/year → 31’320 Euro/month → 40 times the avg. income
Impacts
•   Financial
•   Reputation
•   Health/integrity safety
•   Legal/Fines
•   Regulation / Compliance
•   Operations / Productivity
Impacts
Average breach cost 7M




Worst incident cost
over $35 million
Impacts
• Average cost of a data breach (in US$ millions)
  – [Chart: bar chart for 2010 with Average and Maximum series; y-axis from $0.0 to $40.0]
Perception of Insecurity
“I have a Mac”
What can we do about it?
• Technical controls
   – Web application assessment
       • DAST
       • SAST
       • Hybrid
   – WAFs, IPSs, next generation firewalls, DLP
• Process Controls
   – Risk assessment processes
       • SDLC
       • Penetration testing
• Awareness!
   – Community: OWASP
   – Training
Conclusion

Analyze → Design → Implement → Verify → Deploy → Respond
• Analyze: Security requirements, Risk analysis
• Design: Secure design, Threat modeling, Design review
• Implement: Secure coding, Code review
• Verify: Security testing
• Deploy: Secure deployment, Risk assessment
• Respond: Incident response, Vulnerability management, Penetration testing
• Across all phases: Training & awareness; Policy / Compliance; Governance (Strategy, Metrics)
Threat Horizon
• Cryptography in Web Applications
• Code Sharing
• Backdoored Code on Repositories
• Mobile Application backends
• Data leaks / Password leaks
• Clickjacking / Redressing
Duo Panel
• Questions?




• Contact
  – David: @attractr / www.subgraph.com
  – Antonio: @starbuck3000 / www.L7securite.ch

Confoo 2012 - Web security keynote